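#!/bin/sh
#
# ipfw rule set for a small LAN gateway (172.16.0.0/21, eth0 = LAN side,
# ppp0 = uplink).
#
# Usage:  run as root.  The ipfw binary is taken from $IPFW, defaulting to
#         ./ipfw (the directory the script is started from), as before.
#
# The rule set is flushed and rebuilt from scratch on every run.  ipfw stops
# at the FIRST matching rule, so order matters; the last rule denies and
# logs everything that nothing above it matched.
#
# -e  a rule that ipfw rejects aborts the run instead of being silently
#     skipped (a skipped allow is an outage, a skipped deny is a hole).
#     After an abort the set is partial and the kernel default rule (65535)
#     governs -- inspect `ipfw list` after any failed run.
# -u  an unset/misspelled variable would expand to nothing, which turns e.g.
#     "allow udp from any to any $portudp" into "allow udp from any to any"
#     (every port), so treat it as an error.
set -eu

ipfw=${IPFW:-./ipfw}

# add RULE-WORDS... -- append one rule with the selected ipfw binary.
add() {
  "$ipfw" add "$@"
}

# Hosts granted remote-admin access (RADMIN, Jive).  This is the whole
# 172.16.0.0/24, not one host; narrow it to a /32 if only a single admin
# workstation is meant (least privilege).
adm="172.16.0.1/24"
# Defined for future per-segment rules; currently unused.
lan1="172.16.1.0/24"
lan2="172.16.2.0/24"
# Whole LAN; ipfw should mask the host bits off (172.16.0.0/21).
lan="172.16.0.1/21"
# TCP services allowed LAN<->LAN (DNS, Kerberos, kadmin, NTP, epmap, netbios-ns)
port1="53,88,749,123,135,137"                 # 20,21 were removed from this list
# TCP: netbios-ssn, LDAP, microsoft-ds, mssql, WINS, drweb
port2="139,389,445,1433,1434,1512,2371"
# UDP: DNS, DHCP server/client, Kerberos, NTP, epmap, netbios-ns/dgm, LDAP, mssql-m
portudp="53,67,68,88,123,135,137,138,389,1434"   # 749 (kadmin) not included

# First flush the firewall rules
"$ipfw" -q -f flush

# Localhost rules
add 100 pass all from any to any via lo*
# Prevent any traffic to 127.0.0.1, common in localhost spoofing
add 110 deny log all from any to 127.0.0.0/8 in
add 120 deny log all from 127.0.0.0/8 to any in
# add check-state
# add pass all from me to any out keep-state
# add count log ip from any to any

# NOTE(review): every "mirror" rule below of the form
#   allow tcp from X <port> to Y
# trusts the SOURCE port alone.  A peer can pick any source port, so such a
# rule effectively admits traffic to every destination port on Y from X.
# The usual fix is stateful filtering (check-state / keep-state -- see the
# commented attempts further down), which also removes the need for the
# mirror rules.  Left as-is here so the installed behaviour is unchanged.

# allow tcp FTP(20-21),DNS(53),Kerberos,Kerberos-adm,netbios-ns
add allow tcp from "$lan" to "$lan" "$port1"
add allow tcp from "$lan" "$port1" to "$lan"

# allow tcp netbios-ssn,LDAP,microsoft-ds,mssql,WINS,drweb
add allow tcp from "$lan" to "$lan" "$port2"
add allow tcp from "$lan" "$port2" to "$lan"

# allow web, proxy, mail
add allow tcp from "$lan" to "$lan" 9025,9110,8025,8110,7025,7110,5025,5110   # ports mapped through the mail server
add allow tcp from "$lan" 9025,9110,8025,8110,7025,7110,5025,5110 to "$lan"   # to mail.ru and the like
# Open to/from the whole Internet in both directions (see NOTE above).
add allow tcp from any to any 25,80,110,443
add allow tcp from any 25,80,110,443 to any
add allow tcp from "$lan" to "$lan" 8080,8081
add allow tcp from "$lan" 8080,8081 to "$lan"

# allow RADMIN -- only from $adm and only on the LAN interface
# add allow tcp from $adm to me 4899
add allow tcp from "$adm" to me 4899 in via eth0
add allow tcp from me 4899 to "$adm" out via eth0

# allow Jive admin
add allow tcp from "$adm" to "$adm" 9090,9091

# allow cpanel
# site.ru is presumably resolved by ipfw when the rule is added; if DNS is
# not reachable at that moment the add fails and (-e) the run stops here.
add allow tcp from me to site.ru 2082 via ppp0
add allow tcp from site.ru 2082 to me via ppp0

# allow FTP (logged; both directions, any host)
add allow log tcp from any to any 20
add allow log tcp from any 20 to any
add allow log tcp from any to any 21
add allow log tcp from any 21 to any
# Earlier attempts to have the FTP ports open themselves (stateful):
# add allow log tcp from any to me 21 setup
# add allow log tcp from any to me 25500-25502 setup
# add allow log tcp from me 1024-65535 to any setup
# ftp, pop, http, smtp, ntp, https, icq, http-proxy, ftp-passive
# add allow log tcp from me to any 20,21,25,80,110,119,443 keep-state
# add allow log tcp from me to any 1024-65535 keep-state

# allow RPC
add allow tcp from "$lan" to "$lan" 1024,1025,1026,1050
add allow tcp from "$lan" 1024,1025,1026,1050 to "$lan"

# allow udp DNS,DHCPs,DHCPc,Kerberos,Kerberos-adm,netbios-ns,netbios-dgm,
add allow udp from any to any "$portudp"
add allow udp from any "$portudp" to any

# JABBER+IRC (and eDonkey/ICQ ports), any host, both directions
add allow tcp from any to any 4242,4661,4662,4663,4664,4665,5190,5222,5223,6667
add allow tcp from any 4242,4661,4662,4663,4664,4665,5190,5222,5223,6667 to any

# ICMP -- currently unrestricted; the commented line limits it to the types
# needed for normal operation (echo reply/request, unreachable, source
# quench, time exceeded).
# add allow icmp from any to any icmptypes 0,3,4,8,11
add allow icmp from any to any

# Catch-all: anything not matched above is dropped and logged.
add deny log all from any to any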